rails_authorize 1.2.0 → 1.3.0
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/Gemfile.lock +1 -1
- data/README.md +32 -0
- data/lib/rails_authorize.rb +52 -0
- data/lib/rails_authorize/version.rb +1 -1
- metadata +2 -2
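--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2cb3884b42e51fd374efd4ec6ab32722c9768b21c8fa231ab596cc13ce4f1c3f
+data.tar.gz: 8f09efa6582611bc97096f239c577a0fcc9aedd89c7743569e5ac4d63ffc5270
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5986cf3067bf081ae0568a047f1f42ce92a001dff3f1697517b71bd8321ec34f318774b1db53def84825aaa60c6228cd227ec17799ba76ec22f16ce891b13569
+data.tar.gz: efb24985a05d4e0cb98f7864d7c0d24c17b0befdcf9ffe71368891e77500fffc6874ff4bf7a7fe412de03ba40b9cd131102f13b5f7a333c9adfee6df20148cc1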
data/.gitignore
CHANGED
data/Gemfile.lock
CHANGED
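--- a/data/README.md
+++ b/data/README.md
@@ -1,4 +1,5 @@
 # RailsAuthorize
+[![Gem Version](https://badge.fury.io/rb/rails_authorize.svg)](https://badge.fury.io/rb/rails_authorize)
 ![Build Status](https://travis-ci.org/rjurado01/rails_authorize.svg?branch=master)
 
 Simple and flexible authorization Rails system inspired by Pundit.
@@ -230,6 +231,37 @@ class PostPolicy < ApplicationPolicy
 end
 end
 ```
+## Ensuring authorization and scoping are performed
+
+In certain kind of applications where almost all or even the whole application is private, in each of the actions you have to make sure that authorization is performed. To make sure that developers perform authorization, RailsAuthorize provides two methods. `verify_authorized` makes sure that authorization is performed, and likewise `verify_policy_scoped` checks that scoping is performed
+
+Both methods are mainly aimed to be called on `after_action`.
+```ruby
+class ApplicationController < ActionController::Base
+include RailsAuthorize
+after_action :verify_authorized, except: :index
+after_action :verify_policy_scoped, only: :index
+end
+```
+
+### Skipping verification
+
+If you're using `verify_authorized` in your controllers but need to conditionally bypass verification, you can use `skip_authorization`. For bypassing `verify_policy_scoped`, use `skip_policy_scope`.
+```ruby
+def create
+record = Record.new(attributes)
+
+if record.valid?
+authorize record
+else
+skip_authorization
+end
+end
+```
+
+## Rspec
+
+For writing expressive tests for your policies in RSpec you can use this gem: [rails_authorize_matchers](https://github.com/pacop/rails_authorize_matchers)
 
 ## Development
 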
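--- a/data/lib/rails_authorize.rb
+++ b/data/lib/rails_authorize.rb
@@ -3,6 +3,8 @@ require 'rails_authorize/version'
 module RailsAuthorize
 # Error that will be raised when authorization has failed
 class NotAuthorizedError < StandardError; end
+class AuthorizationNotPerformedError < StandardError; end
+class ScopingNotPerformedError < StandardError; end
 
 ##
 # Finds policy class for given target and returns new instance
@@ -38,6 +40,8 @@ module RailsAuthorize
 
 raise(NotAuthorizedError) unless policy.public_send(action)
 
+@_policy_authorized = true
+
 target
 end
 
@@ -50,6 +54,8 @@ module RailsAuthorize
 # @return [Scope] policy scope
 #
 def policy_scope(target, options={})
+@_policy_scoped = true
+
 policy(target, options).scope
 end
 
@@ -69,6 +75,8 @@ module RailsAuthorize
 
 raise(NotAuthorizedError) unless policy.public_send(action)
 
+@_policy_scoped = @_policy_authorized = true
+
 policy.scope
 end
 
@@ -100,4 +108,48 @@ module RailsAuthorize
 
 params.require(param_key).permit(*policy.public_send(method_name))
 end
+
+# Raises an error if authorization has not been performed
+#
+# @raise [AuthorizationNotPerformedError] if authorization has not been performed
+# @return [void]
+def verify_authorized
+raise AuthorizationNotPerformedError, self.class unless policy_authorized?
+end
+
+# Allow this action not to perform authorization.
+#
+# @return [void]
+def skip_authorization
+@_policy_authorized = true
+end
+
+# Raises an error if policy scoping has not been performed
+#
+# @raise [AuthorizationNotPerformedError] if policy scoping has not been performed
+# @return [void]
+def verify_policy_scoped
+raise ScopingNotPerformedError, self.class unless policy_scoped?
+end
+
+# Allow this action not to perform policy scoping.
+#
+# @return [void]
+def skip_policy_scope
+@_policy_scoped = true
+end
+
+protected
+
+# @return [Boolean] whether authorization has been performed, i.e. whether
+# one {#authorize} or {#skip_authorization} has been called
+def policy_authorized?
+@_policy_authorized == true
+end
+
+# @return [Boolean] whether policy scoping has been performed, i.e. whether
+# one {#policy_scope} or {#skip_policy_scope} has been called
+def policy_scoped?
+@_policy_scoped == true
+end
 end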
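Review bot: In `policy_scope`, `@_policy_scoped = true` is assigned before `policy(target, options).scope` has been resolved, so if the policy lookup raises and the action rescues the error, a later `verify_policy_scoped` would still pass; the two hunks that raise `NotAuthorizedError` set their flags only after that check. Resolving first keeps the verifier fail-closed: `scope = policy(target, options).scope`, then `@_policy_scoped = true`, then return `scope`. The doc comment on `verify_policy_scoped` names the wrong exception and should read `# @raise [ScopingNotPerformedError] if policy scoping has not been performed`. `verify_authorized`, `skip_authorization`, `verify_policy_scoped` and `skip_policy_scope` sit above `protected`, so a controller that includes the module gains them as public instance methods; whether that makes them routable depends on the app's routes, and moving them under `protected` next to the predicates would remove the question. The methods in the second and fourth hunks begin outside the visible lines, so their ordering is judged only from what is shown.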
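--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_authorize
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.3.0
 platform: ruby
 authors:
 - rjurado01
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-
+date: 2018-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler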